"Protection System" Fake AntiVirus




This sleek program is another to watch out for, so don't be tricked.

It appears that the client was browsing bebo.com and facebook.com, when their browser was hijacked and redirected to another site. The page then began installing this program.

Below are entries found in the Registry (if you are unfamiliar with the registry, leave this page NOW) and files associated with the program.

Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
  1. Value 0
    Name:
    Type: REG_SZ
    Data: C:\Program Files\Protection System\CoreExt.dll


Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\SimpleShlExt
  1. Value 0
    Name:
    Type: REG_SZ
    Data: {5E2121EE-0300-11D4-8D3B-444553540000}


Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  1. Value 0
    Name:
    Type: REG_SZ
    Data: {5E2121EE-0300-11D4-8D3B-444553540000}


Key Name:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  1. Value 0
    Name:
    "{5E2121EE-0300-11D4-8D3B-444553540000}"="Protection System extension"


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  1. Value 14
    Name: braviax
    Type: REG_SZ
    Data: braviax.exe


Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Protection System
  1. Value 0
    Name: Settings_0
    Type: REG_DWORD
    Data: 0x0
  2. Value 1
    Name: SecStatus_3
    Type: REG_DWORD
    Data: 0x1
  3. Value 2
    Name: SecStatus_4
    Type: REG_DWORD
    Data: 0x1
  4. Value 3
    Name: SecStatus_5
    Type: REG_DWORD
    Data: 0x1
  5. Value 4
    Name: FD
    Type: REG_DWORD
    Data: 0x0
  6. Value 5
    Name: GUID
    Type: REG_SZ
    Data: 554784455547837555478305
  7. Value 6
    Name: Data
    Type: REG_SZ
    Data: :2070:2215:2505:2650:2795:2940:3085:3230:3375:
  8. Value 7
    Name: swver
    Type: REG_SZ
    Data: 1.0
  9. Value 8
    Name: dbver
    Type: REG_SZ
    Data: 1.0
  10. Value 9
    Name: dbsigns
    Type: REG_SZ
    Data: 61473
  11. Value 10
    Name: InfectedFiles
    Type: REG_SZ
    Data: C:\WINDOWS\System32\mll_qic.dll,C:\WINDOWS\System32\msrepl40.dll,C:\WINDOWS\System32\olecli.dll,C:\WINDOWS\System32\rasser.dll,C:\WINDOWS\System32\shimeng.dll,C:\WINDOWS\System32\tsddd.dll,C:\WINDOWS\System32\wiashext.dll,C:\WINDOWS\System32\wucltui.dll,C:\WINDOWS\System32\Wbem\wbemcore.dll,C:\WINDOWS\xazyzeco.dll,C:\WINDOWS\Help\dkconcepts.chm,C:\WINDOWS\Help\windows.chm,C:\WINDOWS\Fonts\FRUTSI_C.TTF,C:\WINDOWS\Fonts\vga863.fon,C:\WINDOWS\System32\bidispl.dll,C:\WINDOWS\System32\c_10017.nls,C:\WINDOWS\System32\dplay.dll,C:\WINDOWS\System32\fxsst.dll,C:\WINDOWS\wmsetup10.log,C:\WINDOWS\Help\dijoy.hlp,C:\WINDOWS\Help\wbemtest.chm,C:\WINDOWS\Fonts\FRUTSB_A.TTF,C:\WINDOWS\Fonts\vga850.fon,C:\WINDOWS\System32\bcbsmp50.bpl,C:\WINDOWS\System32\c_037.nls,C:\WINDOWS\System32\docprop.dll,C:\WINDOWS\System32\fxsperf.dll,C:\WINDOWS\WMFDist11.log,C:\WINDOWS\Help\dialer.chm,C:\WINDOWS\Help\verifier.hlp,C:\WINDOWS\Fonts\Framdcn.TTF,C:\WINDOWS\Fonts\verdanaz.ttf,C:\WINDOWS\System32\batmeter.dll,C:\WINDOWS\System32\ctl3dv2.dll,C:\WINDOWS\System32\dnsapi.dll,C:\WINDOWS\System32\fxsevent.dll,C:\WINDOWS\WindowsUpdate.log,C:\WINDOWS\Help\ddeshare.chm,C:\WINDOWS\Help\twclient.chm,C:\WINDOWS\Fonts\frabk.ttf,C:\WINDOWS\Fonts\trebuc.ttf,C:\WINDOWS\System32\avicap.dll,C:\WINDOWS\System32\cscdll.dll,C:\WINDOWS\System32\dmremote.exe,C:\WINDOWS\System32\fxscfgwz.dll,C:\WINDOWS\smscfg.ini,C:\WINDOWS\Help\certmgr.hlp,C:\WINDOWS\Help\sounds.chm,C:\WINDOWS\Fonts\courfr.fon,C:\WINDOWS\Fonts\smallfe.fon,C:\WINDOWS\System32\ansi.sys,C:\WINDOWS\System32\compobj.dll,C:\WINDOWS\System32\dhcpmon.dll,C:\WINDOWS\System32\filemgmt.dll,C:\WINDOWS\QUICKEN.INI,C:\WINDOWS\Help\agt0415.hlp,C:\WINDOWS\Help\rsm.chm,C:\WINDOWS\Fonts\cga40woa.fon,C:\WINDOWS\Fonts\Rockeb.TTF,C:\WINDOWS\System32\accwiz.exe,C:\WINDOWS\System32\cmos.ram,C:\WINDOWS\System32\debug.exe,C:\WINDOWS\System32\eventvwr.msc,C:\WINDOWS\orun32.ini,C:\WINDOWS\Help\agt0405.hlp,C:\WINDOWS\Help\qosconcepts.chm,C:\WINDOWS\Fonts\BOOKOSBI.TTF,C:\WINDOWS\Fonts\Per_____.TTF,C:\WINDOWS\System\WFWNET.DRV,C:\WINDOWS\System32\cliconfg.rll,C:\WINDOWS\System32\dbmsrpcn.dll,C:\WINDOWS\System32\esent.dll,C:\WINDOWS\NSSetDefaultBrowser.ini,C:\WINDOWS\Help\access.chm,C:\WINDOWS\Help\phowto.chm,C:\WINDOWS\Fonts\ArialN.TTF,C:\WINDOWS\Fonts\OUTLOOK.TTF,C:\WINDOWS\System\setup.inf,C:\WINDOWS\System32\cisvc.exe,C:\WINDOWS\System32\d3drm.dll,C:\WINDOWS\System32\edlin.exe,C:\WINDOWS\KB971557.log,C:\WINDOWS\Media\Windows XP Default.wav,C:\WINDOWS\Help\nvwcpno.hlp,C:\WINDOWS\Fonts\8514sys.fon,C:\WINDOWS\Fonts\Lsansi.TTF,C:\WINDOWS\Tasks\SA.DAT,C:\WINDOWS\System32\cdfview.dll,C:\WINDOWS\System32\c_855.nls,C:\WINDOWS\System32\dsprop.dll,C:\WINDOWS\KB969897-IE7.log,C:\WINDOWS\Media\Windows XP Balloon.wav,C:\WINDOWS\Help\nvwcpja.hlp,C:\WINDOWS\Fonts\8514oeme.fon,C:\WINDOWS\Fonts\latha.ttf,C:\WINDOWS\Fonts\wst_swed.fon,C:\WINDOWS\System32\catsrvut.dll,C:\WINDOWS\System32\c_737.nls,C:\WINDOWS\System32\dskquoui.dll,C:\WINDOWS\KB961501.log,C:\WINDOWS\Media\Windows Feed Discovered.wav,C:\WINDOWS\Help\nvwcpfr.hlp,C:\WINDOWS\Fonts\8514fixg.fon,C:\WINDOWS\Fonts\ITCKrist.TTF,C:\WINDOWS\Fonts\wst_fren.fon,C:\WINDOWS\System32\capicom.dll,C:\WINDOWS\System32\c_28603.nls,C:\WINDOWS\System32\dsauth.dll,
  12. Value 11
    Name: LastScan
    Type: REG_DWORD
    Data: ******
  13. Value 12
    Name: Infected
    Type: REG_DWORD
    Data: 0x34
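As an added example (not part of the original write-up), the Python script below parses a registry dump written in the same "Key Name / Value / Name / Type / Data" layout as the entries above and flags three things a defender would look for in it: a Run entry whose data is a bare file name instead of a full path (the braviax.exe entry), any reference to the CLSID the program registers for its shell extension, and any value under the program's own vendor key. The dump embedded in the script is constructed from the entries in this write-up plus one ordinary ctfmon.exe Run entry added for contrast; parse_dump, find_indicators and the constant names are assumptions chosen for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample dump: the CLSID, braviax and vendor-key entries are the ones
# listed in the write-up; the ctfmon.exe Run entry is a benign contrast case.
SAMPLE_DUMP = r"""
Key Name:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32
  1. Value 0
    Name:
    Type: REG_SZ
    Data: C:\Program Files\Protection System\CoreExt.dll

Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  1. Value 14
    Name: braviax
    Type: REG_SZ
    Data: braviax.exe
  2. Value 15
    Name: ctfmon.exe
    Type: REG_SZ
    Data: C:\WINDOWS\system32\ctfmon.exe

Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Protection System
  1. Value 0
    Name: Infected
    Type: REG_DWORD
    Data: 0x34
"""

# Indicators taken from the write-up above.
KNOWN_BAD_CLSID = "{5E2121EE-0300-11D4-8D3B-444553540000}"
KNOWN_BAD_VENDOR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Protection System"
RUN_KEY_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class RegValue:
    key: str
    name: str   # empty string for the key's default value
    type: str
    data: str


def parse_dump(text: str) -> list[RegValue]:
    """Turn the 'Key Name / Value N / Name / Type / Data' layout into records."""
    values: list[RegValue] = []
    key = ""
    expect_key = False
    name = vtype = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Key Name:":
            expect_key = True          # the next non-empty line is the key path
            continue
        if expect_key:
            key, expect_key = line, False
            continue
        if re.match(r"^\d+\. Value \d+$", line):
            name = vtype = ""          # start of a new value record
            continue
        if line.startswith("Name:"):
            name = line[len("Name:"):].strip()
        elif line.startswith("Type:"):
            vtype = line[len("Type:"):].strip()
        elif line.startswith("Data:"):
            values.append(RegValue(key, name, vtype, line[len("Data:"):].strip()))
    return values


def find_indicators(values: list[RegValue]) -> list[tuple[str, str, str]]:
    """Return (indicator, where, data) tuples for values matching the write-up's IoCs."""
    findings = []
    for v in values:
        key_l = v.key.lower()
        # A Run entry with no drive letter is resolved through the search path at logon;
        # legitimate installers almost always write an absolute path here.
        if key_l.endswith(RUN_KEY_SUFFIX.lower()) and not re.match(r'^"?[A-Za-z]:\\', v.data):
            findings.append(("run-entry-without-path", v.name, v.data))
        # The shell-extension CLSID from the write-up, either as part of a key path
        # (InprocServer32) or as value data (ContextMenuHandlers, Approved list).
        if KNOWN_BAD_CLSID.lower() in key_l or KNOWN_BAD_CLSID.lower() in v.data.lower():
            findings.append(("known-clsid", v.key, v.data))
        # Anything under the program's own settings key.
        if key_l.startswith(KNOWN_BAD_VENDOR_KEY.lower()):
            findings.append(("vendor-key", v.name, v.data))
    return findings


if __name__ == "__main__":
    for indicator, where, data in find_indicators(parse_dump(SAMPLE_DUMP)):
        print(f"{indicator:24} {where} -> {data}")
```

Feed it a dump exported from a suspect machine in the same layout and the three indicator classes fall out without touching the live registry; the bare-name Run check in particular generalises beyond this one program, since it catches any autostart entry that relies on path lookup rather than an explicit location.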

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a list of files you may find in the:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"C:\program files\protection system" Folder
            Size          Name
  1. 2,005,140 bytes » blacklist.cga
  2. 3,478,520 bytes » core.cga
  3. 44,032 bytes » coreext.dll
  4. 49,152 bytes » firewall.dll
  5. 99,678 bytes » help.ico
  6. 2,535,424 bytes » psystem.exe
  7. 53,248 bytes » uninstall.exe

